Question No: 621 – (Topic 3)

The security administrator is observing unusual network behavior from a workstation. The workstation is communicating with a known malicious destination over an encrypted tunnel. A full antivirus scan, with an updated antivirus definition file, does not show any signs of infection.

Which of the following has happened on the workstation?

Zero-day attack

Known malware infection

Session hijacking

Cookie stealing

Answer: A Explanation:

The antivirus scan, even with current signatures, found nothing, so whatever is running on the workstation is not known malware (the clean scan rules out option B). The outbound encrypted tunnel to a known malicious destination is a behavioral indicator of compromise that survives when signature-based detection fails, and the most likely explanation is a zero-day attack.

A zero-day vulnerability is a flaw in software that is unknown to the vendor. Attackers exploit the flaw before the vendor becomes aware of it and hurries to ship a fix; that exploitation is the zero-day attack. Zero-day attacks are used to deliver malware or spyware and to gain unauthorized access to user information. The term "zero day" refers to the fact that the flaw is unknown to everyone outside the attackers, in particular the developers, who have therefore had zero days to fix it. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

Question No: 622 – (Topic 3)

Which of the following describes how Sara, an attacker, can send unwanted advertisements to a mobile device?

Man-in-the-middle

Bluejacking

Bluesnarfing

Packet sniffing

Answer: B Explanation:

Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or bluechat) to another Bluetooth-enabled device via the OBEX protocol.

Bluetooth has a very limited range, usually around 10 metres (32.8 ft) on mobile phones, but laptops can reach up to 100 metres (328 ft) with powerful (Class 1) transmitters.

Bluejacking is usually harmless, but because bluejacked people generally don't know what has happened, they may think that their phone is malfunctioning. Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well. Bluejacking has been used in guerrilla marketing campaigns to promote advergames.

Question No: 623 – (Topic 3)

When an order was submitted via the corporate website, an administrator noted special characters (e.g., ";-" and "or 1=1 -") were input instead of the expected letters and numbers.

Which of the following is the MOST likely reason for the unusual results?

The user is attempting to hijack the web server session using an open-source browser.

The user has been compromised by a cross-site scripting attack (XSS) and is part of a botnet performing DDoS attacks.

The user is attempting to fuzz the web server by entering foreign language characters which are incompatible with the website.

The user is sending malicious SQL injection strings in order to extract sensitive company or customer data via the website.

Answer: D Explanation:

The input in the question is an example of a SQL injection attack. The condition '1=1' always evaluates to true, so when it is spliced into the WHERE clause of a query it can make the statement return every row in a SQL table.

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
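The following is an added example, not part of the original question bank, showing why the tautology payload works and why parameterised queries stop it. It uses an in-memory SQLite table of constructed sample orders (the table, its rows and the helper names are assumptions for illustration); the payload is the classic ' OR 1=1 -- form of the string the administrator saw. A naive pattern check of the kind that would have flagged the suspicious input is included as a detection aid only.

```python
import re
import sqlite3

# Constructed sample data standing in for the corporate web application's
# database; not taken from the original page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1111"), (3, "carol", "9999")],
    )
    return conn

def lookup_orders_vulnerable(conn, customer):
    # The user-supplied value is pasted into the SQL text, so a quote character
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT id, customer, card_last4 FROM orders WHERE customer = '"
           + customer + "'")
    return conn.execute(sql).fetchall()

def lookup_orders_safe(conn, customer):
    # Parameterised query: the value travels separately from the statement,
    # so the database never interprets it as SQL, whatever characters it holds.
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()

# Classic tautology payload: the leading quote closes the literal, "OR 1=1"
# is always true, and "--" comments out the closing quote the application adds.
PAYLOAD = "' OR 1=1 --"

# The sort of pattern the administrator in the question noticed in the order
# form. A filter like this is a detection aid, not a defence: it also flags
# legitimate input such as O'Brien and is easy to evade. Parameterisation is the fix.
SQLI_HINTS = re.compile(r"('|--|;|\bor\b\s+\d+\s*=\s*\d+)", re.IGNORECASE)

def looks_like_sqli(value):
    return SQLI_HINTS.search(value) is not None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_orders_vulnerable(db, "alice"))
    print("vulnerable, payload:     ", lookup_orders_vulnerable(db, PAYLOAD))   # all three rows
    print("parameterised, payload:  ", lookup_orders_safe(db, PAYLOAD))         # []
```

With the payload, the vulnerable query becomes WHERE customer = '' OR 1=1 --' and returns every order including the card data; the parameterised version looks for a customer literally named ' OR 1=1 -- and returns nothing.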

Question No: 624 – (Topic 3)

Which of the following is BEST used to capture and analyze network traffic between hosts on the same network segment?

Protocol analyzer

Router

Firewall

HIPS

Answer: A Explanation:

A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent from two systems that are not communicating properly could help determine the cause of the issue.

Question No: 625 – (Topic 3)

An administrator notices an unusual spike in network traffic from many sources. The administrator suspects that:

it is being caused by the presence of a rogue access point.

it is the beginning of a DDoS attack.

the IDS has been compromised.

the internal DNS tables have been poisoned.

Answer: B Explanation:

A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer.

One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload.

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the target with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The advantages to an attacker of a distributed attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one, and each attack machine can behave more stealthily, making it harder to track and shut down. These advantages complicate defense: merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker can simply add more attack machines, and the result can be a website that is completely unavailable for periods of time. Malware can carry DDoS attack mechanisms; one of the better-known examples was MyDoom, whose DoS mechanism was triggered on a specific date and time. That type of DDoS hardcoded the target IP address before the malware was released, so no further interaction with the infected machines was necessary to launch the attack.
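The distinguishing detail in the question is a spike "from many sources". The added example below (not from the original page) shows the simplest detection logic that captures that: bucket connection records into fixed windows, compare each window's count against a baseline, and use the number of distinct source addresses to separate a distributed flood from a single noisy host. The connection records are constructed, the baseline and thresholds are assumed tuning values, and the addresses come from the RFC 5737 documentation ranges.

```python
import random
import statistics
from collections import defaultdict

def make_sample_flows():
    """Constructed connection records (epoch_second, source_ip, dest_port);
    not a real capture. Addresses are from the RFC 5737 documentation ranges."""
    rng = random.Random(1)                       # deterministic sample
    flows = []
    for t in range(0, 60):                       # normal: 3 clients, ~5 conn/s
        for _ in range(5):
            flows.append((t, "198.51.100.%d" % rng.randint(1, 3), 80))
    for t in range(60, 80):                      # DDoS: many sources, 100 conn/s
        for _ in range(100):
            flows.append((t, "203.0.113.%d" % rng.randint(1, 254), 80))
    for t in range(80, 90):                      # single-source flood, 100 conn/s
        for _ in range(100):
            flows.append((t, "192.0.2.7", 80))
    return flows

def window_stats(flows, window=10):
    """Connection count and distinct-source count per fixed time window."""
    buckets = defaultdict(list)
    for t, src, _port in flows:
        buckets[(t // window) * window].append(src)
    return {w: (len(srcs), len(set(srcs))) for w, srcs in buckets.items()}

def detect_spikes(stats, baseline_windows=3, factor=5.0, min_sources=50):
    """Flag windows whose connection count exceeds factor x the median of the
    first baseline_windows windows (assumed tuning values). Many distinct
    sources -> possible DDoS; few sources -> single-source flood or a
    misbehaving host, which calls for a different response."""
    windows = sorted(stats)
    baseline = statistics.median(stats[w][0] for w in windows[:baseline_windows])
    alerts = []
    for w in windows[baseline_windows:]:
        count, distinct = stats[w]
        if count <= factor * baseline:
            continue
        verdict = "possible DDoS" if distinct >= min_sources else "single-source flood"
        alerts.append({"window": w, "connections": count,
                       "distinct_sources": distinct, "verdict": verdict})
    return alerts

if __name__ == "__main__":
    for alert in detect_spikes(window_stats(make_sample_flows())):
        print(alert)
```

On the constructed sample the three quiet windows after the baseline produce nothing, the two windows at 60 s and 70 s are flagged as a possible DDoS, and the window at 80 s is flagged as a single-source flood. In production the baseline would come from historical data rather than the first few windows of the same capture.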

Question No: 626 – (Topic 3)

Sara, the Chief Information Officer (CIO), has requested an audit take place to determine what services and operating systems are running on the corporate network. Which of the following should be used to complete this task?

Fingerprinting and password crackers

Fuzzing and a port scan

Vulnerability scan and fuzzing

Port scan and fingerprinting

Answer: D Explanation:

Different services use different ports. When a service is enabled on a computer, a network port is opened for that service. For example, enabling the HTTP service on a web server will open port 80 on the server. By determining which ports are open on a remote server, we can determine which services are running on that server.

A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it.

A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine.

Fingerprinting is a means of ascertaining the operating system of a remote computer on a network. Fingerprinting is more generally used to detect specific versions of applications or protocols that are run on network servers. Fingerprinting can be accomplished "passively" by sniffing network packets passing between hosts, or it can be accomplished "actively" by transmitting specially created packets to the target machine and analyzing the response.
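As an added example (not from the original page), the following combines the two techniques the answer names: a TCP connect scan to find open ports, followed by active service fingerprinting by banner grabbing. The banner prefixes are defined by the protocols themselves (the SSH identification string of RFC 4253, the 220 greeting of SMTP and FTP, an HTTP status line); OS fingerprinting from TCP/IP stack behaviour, which tools such as nmap also do, is not shown. To run offline the block starts a constructed local listener that plays the part of the audited host; the listener, its banner and the helper names are assumptions.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Protocol-defined banner prefixes used to fingerprint the service behind a port.
BANNER_SIGNATURES = (
    ("SSH-", "ssh"),          # RFC 4253 identification string
    ("220 ", "smtp-or-ftp"),  # SMTP / FTP greeting code
    ("HTTP/", "http"),        # HTTP status line
)

def tcp_connect(host, port, timeout=0.5):
    """TCP connect scan of one port: True if the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:           # refused, timed out, unreachable
        return False

def scan_ports(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of open ports from the given range."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_connect(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)

def grab_banner(host, port, timeout=1.0):
    """Read whatever the service volunteers first. Services that wait for the
    client to speak (HTTP, for example) yield an empty banner here."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return ""

def fingerprint(banner):
    for prefix, name in BANNER_SIGNATURES:
        if banner.startswith(prefix):
            return name
    return "unknown"

def audit(host, ports):
    """Port scan plus fingerprint: {port: {"banner": ..., "service": ...}}."""
    return {p: {"banner": (b := grab_banner(host, p)), "service": fingerprint(b)}
            for p in scan_ports(host, ports)}

def start_fake_service(banner):
    """Constructed local listener standing in for a real host (assumption for
    the demo): sends the given banner to each client, returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                client, _addr = srv.accept()
            except OSError:
                return
            with client:
                try:
                    client.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_service(b"SSH-2.0-ExampleServer\r\n")   # constructed banner
    print(audit("127.0.0.1", [port - 1, port, port + 1]))
```

A connect scan completes the handshake and is therefore logged by the target; a SYN scan (sending only the first packet) needs raw sockets and privileges. Either way the audit should be run with the CIO's written authorisation, since the same traffic is what an attacker's reconnaissance looks like.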

Question No: 627 – (Topic 3)

How often, at a MINIMUM, should Sara, an administrator, review the accesses and rights of the users on her system?

Annually

Immediately after an employee is terminated

Every five years

Every time they patch the server

Answer: A Explanation:

Reviewing the accesses and rights of the users on a system at least annually is acceptable practice. More frequently would be desirable but too frequently would be a waste of administrative time.

Question No: 628 – (Topic 3)

Which of the following software allows a network administrator to inspect the protocol header in order to troubleshoot network issues?

URL filter

Spam filter

Packet sniffer

Switch

Answer: C Explanation:

Every data packet transmitted across a network has a protocol header. To view a protocol header, you need to capture and view the contents of the packet with a packet sniffer.

A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. On a shared (hub-based, unswitched) segment every frame reaches every NIC on that segment; normally the NIC discards frames not addressed to it, so each computer only sees its own traffic. A sniffer puts the NIC into promiscuous mode, which disables that filter, so the sniffer reads every communication passing on the segment, which can lead to unauthorized access to sensitive data. On a switched network the switch forwards a frame only to the port of its destination MAC address, so an administrator typically copies the traffic to the capture host with a SPAN (mirror) port or a network tap. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.

Question No: 629 – (Topic 3)

Joe, an administrator, installs a web server on the Internet that performs credit card transactions for customer payments. Joe also sets up a second web server that looks like the first web server.

However, the second server contains fabricated files and folders made to look like payments were processed on this server but really were not. Which of the following is the second server?

DMZ

Honeynet

VLAN

Honeypot

Answer: D Explanation:

In this scenario, the second web server is a ‘fake’ webserver designed to attract attacks. We can then monitor the second server to view the attacks and then ensure that the ‘real’ web server is secure against such attacks. The second web server is a honeypot.

A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies.

According to Webopedia, a honeypot luring a hacker into a system has several main purposes:

The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned.

The hacker can be caught and stopped while trying to obtain root access to the system.

By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

There are two main types of honeypots:

Production – A production honeypot is one used within an organization's environment to help mitigate risk.

Research – A research honeypot adds value to research in computer security by providing a platform to study the threat.

Question No: 630 – (Topic 3)

How must user accounts for exiting employees be handled?

Disabled, regardless of the circumstances

Disabled if the employee has been terminated

Deleted, regardless of the circumstances

Deleted if the employee has been terminated

Answer: A Explanation:

You should always disable an employee's account as soon as they leave, whether the departure was voluntary or a termination. The employee knows the username and password of the account and could continue to log in for potentially malicious purposes. Disabling the account ensures that no one can log in using it, while preserving the account's files, ownership information and audit trail for any later investigation; deleting the account would lose those records and, on some systems, free its identifier for reuse.